Mystery IP Address

A couple of months ago Steve noticed a lot of hits to the new company website from three IP addresses in the 38/8 block. By a lot of hits I mean something like 75% of the total traffic. The MaxMind database we use to generate region and ISP information for the traffic reports said that these addresses belonged to "Performance Systems International". Steve googled for this company and came up with a whole lot of blog and forum posts that claimed this company was home to a rogue bot that has plagued a lot of people.

I decided to dig a little deeper because most of the links that Steve sent me seemed to be a little underinformed. Here's what I found:

"Performance Systems International" is the original name of PSINet, which was an early tier 1 ISP. PSINet was eventually acquired by Cogent. Cogent currently owns the 38/8 IP space.

Apparently Cogent hasn't done a SWIP mapping for the particular addresses the bot is coming from: 38.98.136.241, 38.98.136.242, 38.98.136.243. Cogent does, however, run its own rwhois server that records the sub-network assignment:

$ whois -h rwhois.cogentco.com -p 4321 38.98.136.241
%rwhois V-1.5:0010b0:00 rwhois.cogentco.com
38.98.136.241
network:ID:NET-266288E01B
network:Network-Name:NET-266288E01B
network:IP-Network:38.98.136.224/27
network:Org-Name:Ambiron, LLC
network:Street-Address:120 N LaSalle St Ste. 1250
network:City:Chicago
network:State:IL
network:Postal-Code:60602
network:Tech-Contact:ZC108-ARIN
network:Updated:2007-09-18 17:09:29
network:Updated-by:jknowles

This shows that the network block is assigned to "Ambiron, LLC". More googling leads to a press release on the Trustwave website announcing that in March of 2005 Trustwave and Ambiron merged. So the hits are coming from IP addresses owned by the company that is performing our PCI DSS security scans.
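As an added check (example code written for this post, not the author's or Cogent's), the rwhois reply above can be parsed mechanically and the three addresses from the traffic report confirmed to sit inside the allocated block. The only assumption is that the rwhois server answers a plain query terminated by CRLF on port 4321, which is what the whois command above does; the live query function is included for reuse but the parsing runs on the captured reply.

```python
import ipaddress
import socket

# Captured reply from the post, embedded so the parsing runs offline.
RWHOIS_RESPONSE = """\
%rwhois V-1.5:0010b0:00 rwhois.cogentco.com
38.98.136.241
network:ID:NET-266288E01B
network:Network-Name:NET-266288E01B
network:IP-Network:38.98.136.224/27
network:Org-Name:Ambiron, LLC
network:Street-Address:120 N LaSalle St Ste. 1250
network:City:Chicago
network:State:IL
network:Postal-Code:60602
network:Tech-Contact:ZC108-ARIN
network:Updated:2007-09-18 17:09:29
network:Updated-by:jknowles
"""


def query_rwhois(ip, host="rwhois.cogentco.com", port=4321, timeout=10):
    """Live lookup: send the IP followed by CRLF and return the raw reply text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"{ip}\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def parse_rwhois(text):
    """Turn 'class:attribute:value' lines into a dict keyed by attribute.
    '%' lines are server banners and the echoed query has no colons; both are
    skipped. Values may contain colons (timestamps), so split at most twice."""
    record = {}
    for line in text.splitlines():
        if line.startswith("%") or line.count(":") < 2:
            continue
        _cls, attr, value = line.split(":", 2)
        record[attr] = value.strip()
    return record


def attribute_sources(rwhois_text, source_ips):
    """Return (org name, allocated network, {ip: in_block}) for the given IPs."""
    rec = parse_rwhois(rwhois_text)
    net = ipaddress.ip_network(rec["IP-Network"], strict=False)
    matches = {ip: ipaddress.ip_address(ip) in net for ip in source_ips}
    return rec["Org-Name"], net, matches
```

Any source IP that reports False would need its own lookup, since Cogent's sub-allocations are per /27 here and a neighbouring block may belong to someone else.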

Nothing to see here folks. :)
